Improper Access Control in WWBN AVideo's BlockonomicsYPT Plugin
CVE-2026-35448

3.7 LOW

Key Information:

Vendor: Wwbn

Status
Vendor
CVE Published: 6 April 2026

What is CVE-2026-35448?

The BlockonomicsYPT plugin of the WWBN AVideo platform contains an improper access control flaw. In versions up to 26.0, the plugin's check.php endpoint returns payment order data linked to any Bitcoin address without requiring user authentication. The endpoint was intended as an AJAX polling mechanism for the authenticated invoice.php page, but it fails to implement adequate access controls of its own, so unauthorized users can retrieve payment records for any Bitcoin address used on the platform. This exposes sensitive financial information and puts users' privacy and security at risk.
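A log review for this condition, as an added example that is not WWBN's code or part of the original advisory: it flags clients that received successful check.php responses without ever loading invoice.php, or that polled with many distinct query strings. The log format (Combined Log Format), the install path, the `addr` parameter name, the threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: client IP, then the quoted request line and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_suspect_pollers(lines, min_distinct=3):
    """Return {ip: distinct check.php queries} for clients that polled check.php
    without loading invoice.php, or with at least min_distinct different queries."""
    invoice_seen = set()
    polls = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if "BlockonomicsYPT" not in url.path:
            continue
        name = url.path.rsplit("/", 1)[-1]
        if name == "invoice.php":
            invoice_seen.add(m["ip"])
        elif name == "check.php" and m["status"] == "200":
            polls[m["ip"]].add(url.query)  # only answered polls disclose data
    return {ip: len(q) for ip, q in polls.items()
            if ip not in invoice_seen or len(q) >= min_distinct}

def _line(ip, target, status=200):
    # Builds one constructed log line; timestamp and size are placeholders.
    return f'{ip} - - [06/Apr/2026:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 212'

P = "/plugin/BlockonomicsYPT"  # assumed install path, not taken from the advisory
SAMPLE_LOG = [  # constructed sample; 'addr' is a placeholder parameter name
    _line("198.51.100.7", f"{P}/invoice.php"),
    _line("198.51.100.7", f"{P}/check.php?addr=ADDR_A"),
    _line("198.51.100.7", f"{P}/check.php?addr=ADDR_A"),
    _line("203.0.113.9", f"{P}/check.php?addr=ADDR_A"),
    _line("203.0.113.9", f"{P}/check.php?addr=ADDR_B"),
    _line("192.0.2.44", f"{P}/invoice.php"),
    *[_line("192.0.2.44", f"{P}/check.php?addr=ADDR_{c}") for c in "CDE"],
    "malformed line",
]

if __name__ == "__main__":
    print(find_suspect_pollers(SAMPLE_LOG))
```

Correlating by client IP is approximate behind NAT or proxies, so treat hits as leads for review rather than confirmed unauthorized access.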

Affected Version(s)

AVideo <= 26.0

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved